For HA to work, you need a specific VPN accelerator card inserted in the router. I forgot the card's name.
With regards
Kings

On Sat, Jun 23, 2012 at 8:35 AM, Eugene Pefti <[email protected]> wrote:

> What about router platforms? Will I have a chance to test it with 1841
> or 2800 routers? At least IPExperts lab gives an example of stateful IPSec
> HA with 2811 routers.
>
> Eugene
> Sent from iPhone
>
> On Jun 22, 2012, at 7:57 PM, "Kingsley Charles" <[email protected]> wrote:
>
> Yes, you need a reload for HA to work.
>
> With regards
> Kings
>
> On Sat, Jun 23, 2012 at 12:10 AM, Eugene Pefti <[email protected]> wrote:
>
>> Bruno and all,
>>
>> I have a stupid question to ask. The white paper given below says that
>> IPSec HA is supported only by high-end routers.
>>
>> I didn't have any problem adding all required commands on the 1841 router but
>> didn't test it yet because I still don't understand all the nitty-gritty
>> details about it, specifically about routers having to be reloaded for the
>> configuration to take effect.
>>
>> Moreover, the configs in this white paper miss the "local-port" statement that
>> should go before "local-ip".
>>
>> I don't know who in their sound mind will remember all the commands
>> required to set up interdevice communication to enable stateful IPSec failover.
>>
>> Hoping that the VPN availability guide is accessible during the lab in case
>> of such a task.
>>
>> http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_vpnav/configuration/12-4t/sec-state-fail-ipsec.html
>>
>> Eugene
>>
>> From: [email protected] [mailto:[email protected]] On Behalf Of Bruno Silva
>> Sent: Thursday, June 21, 2012 11:12 PM
>> To: <[email protected]>
>> Subject: Re: [OSL | CCIE_Security] Need help understanding "no-alias" NAT option
>>
>> Hi Eugene,
>>
>> Apart from who wrote the solution for this task, which I think is not the
>> case, I have also come across this task and for some reason this is not the
>> only wrong thing in it. This is an IPsec HA solution that you're trying to
>> configure, and for some reason the solution not only does not work as it is,
>> it is also confusing in some parts. Since I came across a lot of problems with
>> this solution, this is what helped me a lot:
>>
>> http://www.cisco.com/en/US/technologies/tk583/tk372/technologies_white_paper0900aecd80278edf.html
>>
>> Hopefully you can find the same help I found in this document.
>>
>> BR,
>> Bruno Silva
>> Sent via iPad
>>
>> On 22/06/2012, at 00:27, Mike Rojas <[email protected]> wrote:
>>
>> Yep,
>>
>> Anyone who thinks differently is very appreciated...
>>
>> Mike
>> ------------------------------
>> From: [email protected]
>> To: [email protected]; [email protected]
>> Subject: RE: [OSL | CCIE_Security] Need help understanding "no-alias" NAT option
>> Date: Fri, 22 Jun 2012 03:17:55 +0000
>>
>> Unfortunately it doesn't make sense to me either because R2 runs in
>> routed mode.
>>
>> I believe it's just a faulty solution in the first place. I'm not going
>> to point fingers at who the solution provider is, but it's not IPExperts ;)
>>
>> From: Mike Rojas [mailto:[email protected]]
>> Sent: Thursday, June 21, 2012 8:13 PM
>> To: Eugene Pefti; [email protected]
>> Subject: RE: [OSL | CCIE_Security] Need help understanding "no-alias" NAT option
>>
>> Hi,
>>
>> Assuming that router 2 is not in transparent mode, taking it out
>> wouldn't make much difference, because the packet will be routed to the next
>> hop (R2), assuming that there is a route on the HSRP routers for the network
>> of the ASA behind router 2. It would make sense if they are all on
>> the same broadcast domain.
>>
>> Mike.
>> ------------------------------
>> From: [email protected]
>> To: [email protected]; [email protected]
>> Subject: RE: [OSL | CCIE_Security] Need help understanding "no-alias" NAT option
>> Date: Fri, 22 Jun 2012 03:05:49 +0000
>>
>> Hi Mike,
>>
>> Yes, I'm familiar with it. It's the same as "sysopt noproxyarp"
>> on the ASA, as you say.
>>
>> My question is about why you would do it. Can someone give me a good
>> example?
>>
>> I'm doing a task and it asks to configure a peer for a pair of HSRP
>> routers. I'll have to give a sketch of the topology to make it more or less
>> clear:
>>
>> R1----+--- R2-----(163.1.132.0)-----ASA-----R6
>> R3----|
>>
>> So to be precise, R1 and R3 should have their IPSec peer set to
>> 163.1.132.113, which is the ASA interface.
>>
>> The solution configures static NAT on R2 binding 163.1.132.113 to the R6
>> loopback:
>>
>> ip nat inside source static 6.0.0.1 163.1.132.113 no-alias
>>
>> If R2 stops responding to ARP requests sent to 163.1.132.113, how will the
>> whole thing work?
>>
>> Eugene
>>
>> From: Mike Rojas [mailto:[email protected]]
>> Sent: Thursday, June 21, 2012 7:54 PM
>> To: Eugene Pefti; [email protected]
>> Subject: RE: [OSL | CCIE_Security] Need help understanding "no-alias" NAT option
>>
>> Hey Eugene,
>>
>> Are you familiar with proxy ARP? Basically, the router will answer ARP for
>> any address that is in the range assigned to a particular interface
>> associated with a NAT, right? Well, this command will stop the router so it
>> doesn't do it anymore.
>>
>> Mike
>> ------------------------------
>> From: [email protected]
>> To: [email protected]
>> Date: Fri, 22 Jun 2012 02:44:22 +0000
>> Subject: [OSL | CCIE_Security] Need help understanding "no-alias" NAT option
>>
>> What are the use cases of this "no-alias" NAT option? All references I found
>> in Cisco docs say little to me.
>>
>> Quoting:
>>
>> Autoaliasing of Pool Addresses:
>>
>> Many customers want to configure the NAT software to translate their
>> local addresses to global addresses allocated from unused addresses from an
>> attached subnet. This requires that the router answer ARP requests for those
>> addresses so that packets destined for the global addresses are accepted by
>> the router and translated. (Routing takes care of this packet delivery when
>> the global addresses are allocated from a virtual network which isn't
>> connected to anything.) When a NAT pool used as an inside global or outside
>> local pool consists of addresses on an attached subnet, the software will
>> generate an alias for that address so that the router will answer ARPs for
>> those addresses.
>>
>> This automatic aliasing also occurs for inside global or outside local
>> addresses in static entries. It can be disabled for static entries by using
>> the "no-alias" keyword:
>>
>> ip nat inside source static <local-ip-address> <global-ip-address> no-alias
>>
>> Why would the router NOT reply on behalf of those global addresses?
>>
>> Eugene
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
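An added example, not from the thread or from Cisco: a small Python audit that reads an IOS-style config and reports, for each plain static NAT entry of the form quoted above, whether the router will auto-alias the global address (answer ARP for it) because it lies on an attached subnet, whether the no-alias keyword suppresses that, or whether the global is off-link and reachable only by routing. The interface names, the /24 mask on 163.1.132.0 and the two extra NAT entries are constructed assumptions; only the local/global static form is handled, not the interface- or port-based variants.

```python
import ipaddress
import re

# Constructed sample R2 config using the thread's addresses. The /24 mask and
# interface names are assumptions; the thread only shows 163.1.132.0.
R2_CONFIG = """
interface FastEthernet0/0
 ip address 163.1.132.2 255.255.255.0
interface FastEthernet0/1
 ip address 10.0.13.2 255.255.255.0
ip nat inside source static 6.0.0.1 163.1.132.113 no-alias
ip nat inside source static 6.0.0.2 163.1.132.114
ip nat inside source static 6.0.0.3 192.0.2.50
"""

IP_ADDR = re.compile(r"^\s*ip address (\S+) (\S+)")
STATIC_NAT = re.compile(r"^ip nat inside source static (\S+) (\S+)( no-alias)?$")

def attached_subnets(config):
    """Directly connected IPv4 subnets, taken from every 'ip address' line."""
    nets = []
    for line in config.splitlines():
        m = IP_ADDR.match(line)
        if m:
            nets.append(ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network)
    return nets

def audit_static_nat(config):
    """Map each static entry's global address to how the router treats ARP for it.

    'alias'    on an attached subnet; the router answers ARP for it (automatic
               aliasing), so a real host must not also own that address.
    'no-alias' on an attached subnet, but the keyword suppresses the ARP reply.
    'routed'   not on an attached subnet; delivery relies on routing to the router.
    """
    nets = attached_subnets(config)
    verdicts = {}
    for line in config.splitlines():
        m = STATIC_NAT.match(line.strip())
        if not m:
            continue
        glob = ipaddress.ip_address(m.group(2))
        if not any(glob in net for net in nets):
            verdicts[str(glob)] = "routed"
        else:
            verdicts[str(glob)] = "no-alias" if m.group(3) else "alias"
    return verdicts

if __name__ == "__main__":
    print(audit_static_nat(R2_CONFIG))
```

In the thread's topology 163.1.132.113 is the ASA's own interface address, so an "alias" verdict on that entry would mean R2 answering ARP for an address the ASA already owns on the same subnet; with no-alias R2 stays silent and the HSRP routers still reach the address through their route via R2.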
